NGOs Targeted with Backdoors

We have found evidence that the human rights organization found affected by a website compromise is not the only intended target for the attack.

The website was said to have an iframe that redirected users to another compromised site in Brazil. That site executed a malicious Java applet detected as JAVA_DLOAD.ZZC. JAVA_DLOAD.ZZC exploits a Java vulnerability (CVE-2011-3544) to install TROJ_PPOINTER.SM, which in turn drops BKDR_PPOINTER.SM. BKDR_PPOINTER.SM connects to a certain URL to send information to and receive commands from the attacker. It is also capable of gathering certain information about the affected system.

Based on our investigation, it seems that the initially reported affected organization is just one of the targets in this attack and that the attack itself is fashioned specifically for the targets. We studied the related files and URLs, and found that the string related to the human rights organization was used as the name for both the inserted folder and file in the compromised Brazilian website:

hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.html

hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.jar

Furthermore, the code of the file retrieved from the URLs above indicates that it was a payload intended specifically for the said human rights organization, as related strings appear in its code:

Trend Micro Researcher Nart Villeneuve checked on this, and found other folder and file combinations hosted on the same compromised website, but with different strings. This strongly suggests the existence of other targets.

hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.html

hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.jar

hxxp://{BLOCKED}.com.br/cgi-bin/so/so.html

hxxp://{BLOCKED}.com.br/cgi-bin/so/so.jar

hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.html

hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.jar

The files retrieved from these URLs also had the same strings in their code, similar to the AI case we’ve explained before. The said malicious files are now also detected as JAVA_DLOAD.ZZC and BKDR_PPOINTER.SM.
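As an added defensive example (not code from the original post or from Trend Micro), the following Python script correlates constructed proxy-log lines to flag the chain described above: a `<name>/<name>.html` landing page reached from a different site, followed by a `<name>/<name>.jar` applet fetched from the same folder on the same host. The hostnames, client addresses and four-field log format are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): client, referrer ("-" if none), URL, content type.
SAMPLE_LOG = """\
10.0.0.5 http://ngo.example.org/ http://host.example.com.br/cgi-bin/ai/ai.html text/html
10.0.0.5 http://host.example.com.br/cgi-bin/ai/ai.html http://host.example.com.br/cgi-bin/ai/ai.jar application/java-archive
10.0.0.7 http://ngo.example.org/news http://cdn.example.net/lib/ui.js application/javascript
10.0.0.9 http://ngo.example.org/ http://host.example.com.br/cgi-bin/hk/hk.html text/html
10.0.0.9 http://host.example.com.br/cgi-bin/hk/hk.html http://host.example.com.br/cgi-bin/hk/hk.jar application/java-archive
10.0.0.4 - http://downloads.example.com/tools/app.jar application/java-archive
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed four-field log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"client": m.group(1), "referrer": m.group(2),
                           "url": m.group(3), "ctype": m.group(4)})
    return events


def paired_name(url):
    """Return (host, folder) when the URL path ends in /<folder>/<folder>.<ext>,
    i.e. the folder name is reused as the file name (the post shows OM/om.html,
    so the comparison is case-insensitive). Otherwise return None."""
    parsed = urlparse(url)
    parts = parsed.path.rsplit("/", 2)          # e.g. ['/cgi-bin', 'ai', 'ai.html']
    if len(parts) < 3:
        return None
    folder, fname = parts[1], parts[2]
    stem = fname.rsplit(".", 1)[0]
    return (parsed.netloc, folder.lower()) if stem.lower() == folder.lower() else None


def find_applet_chains(events):
    """Flag a client that loaded <name>/<name>.html via a referrer on another site
    and then fetched <name>/<name>.jar from the same host and folder."""
    seen_html = {}   # (client, host, folder) -> referrer of the landing page
    hits = []
    for e in events:
        key = paired_name(e["url"])
        if key is None:
            continue
        host, folder = key
        if e["url"].lower().endswith(".html"):
            seen_html[(e["client"], host, folder)] = e["referrer"]
        elif e["url"].lower().endswith(".jar"):
            ref = seen_html.get((e["client"], host, folder))
            if ref is not None and urlparse(ref).netloc != host:   # cross-site landing
                hits.append({"client": e["client"], "landing_referrer": ref,
                             "host": host, "folder": folder, "jar": e["url"]})
    return hits
```

Run against real proxy logs, each hit names the referring site (the candidate watering hole), the hosting site and the per-target folder, which is enough to pull the HTML and JAR for analysis and to block the pair.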

The home page of the affected human rights organization has been a target at least a couple of times within the past several months, showing how determined cybercriminals are to target the frequent visitors of this site. As of this writing, the site is clean of the malicious code. Site owners of special interest sites catering to particular demographics, organizations or groups of like-minded individuals should be just as cautious about these kinds of attacks as corporations and businesses.
